The city of Columbus, Ohio, has confirmed that a cyberattack in July, which affected nearly half a million people, was perpetrated by a foreign ransomware group. This group, identified as Rhysida, attempted to extort the city, stealing and posting sensitive data online as evidence of their breach. According to Columbus officials, this intrusion highlights the increasing vulnerability of public sector systems as they grapple with escalating cyber threats.
Ohio’s recent struggles with cyber threats exemplify the mounting risks that state and local governments face, from municipal networks to critical infrastructure. While cybersecurity threats have been prominent for years, these attacks on smaller governmental entities are hitting closer to home, putting residents’ personal information and city operations at risk. With a 6.5-terabyte data breach, Rhysida demonstrated a level of sophistication and scale not often associated with smaller municipalities, reminding officials and residents alike that local governments are prime targets for such attacks.
Ohio Under Siege: A Series of Cyberattacks on Public Sector Networks
The July incident in Columbus is one of several high-profile cyberattacks that have recently plagued Ohio. Cleveland also faced a separate cyber threat earlier this year. These recurring incidents have driven Ohio officials to release additional financial resources and support to help affected cities shore up their defenses. The Ohio state government has pledged assistance, yet cybersecurity analysts say the problem may outpace the state's resources.
According to Coley Anderson, Vice President of Moody’s Ratings, state-backed resources may offer some relief to Ohio’s municipalities, but these attacks highlight a far more troubling trend: cyber threats against local governments are no longer just a possibility—they are an inevitability. “It’s a matter of when, not if, a municipality is the target of a cyberattack,” Anderson said. “Cyber risk awareness is growing among municipalities, but they still lag the private sector in prevention, planning, and response.”
A Widening Gap in Preparedness and Awareness
A recent report from Suffolk County, New York, sheds light on the inadequate planning and oversight that leave many government systems vulnerable. The report cites a lack of proactive measures and ignored warnings as primary factors behind a devastating ransomware incident. The story echoes Ohio’s current plight, where under-resourced IT systems and limited cybersecurity protocols make government agencies easy prey.
“Despite recent advances in cybersecurity, protecting personal data is still a massive problem that costs organizations, on average, $4.88 million annually,” says Patrick Harding, Chief Architect at Ping Identity. “Recent ransomware attacks affecting hundreds of thousands of individuals is a stark reminder of the increasing sophistication of threat actors as they leverage AI to scale their attacks. Many users still underestimate these risks, with 97% expressing concerns about their data being online but only 8% fully trusting organizations to protect their identity data, even lower than last year.”
A Call for Modernized Cybersecurity Strategies
The issue extends beyond municipalities’ inability to patch vulnerabilities quickly or secure resources; it’s also a matter of approach. Legacy security architectures and outdated data protection policies are failing against increasingly sophisticated tactics, especially those enabled by artificial intelligence. With public concern growing—yet only 8% of individuals fully trusting organizations to protect their data—experts argue that it’s time for governments to adopt more advanced defenses.
Cybersecurity professionals suggest that cities consider adopting a Zero Trust architecture, which assumes that any network or device could be compromised and verifies each request as though it originated from an open network. “Thankfully, there are solutions that strengthen resilience against threats while providing frictionless digital experiences for the user,” Harding explains. “Verification through multi-factor authentication (MFA) or passwordless techniques, such as biometrics, and a Zero Trust architecture enable robust security while delivering convenient digital experiences that minimize risk.”
Such measures, combined with consistent security awareness training, could reduce exposure to attacks like the one Columbus faced. And with the financial impact of fraud—a top concern for nearly 18% of the population—growing every year, many cybersecurity experts argue that municipalities should be planning for these improvements now, with 2025 in mind.
A Future Roadmap for Cybersecurity in Local Government
As cyber threats continue to evolve, local governments face an urgent need to modernize their defenses. While Ohio’s recent experiences have spotlighted the issue, similar vulnerabilities exist nationwide. Anderson stresses that while awareness is increasing, municipalities still have a long road ahead to match the private sector in cybersecurity readiness. Without significant investment and strategic planning, more cities may find themselves at the mercy of ransomware groups like Rhysida.
In the meantime, residents of Columbus and Cleveland have been reminded of the real risks lurking in the digital world. The growing sophistication of cyberattacks is driving calls for new standards of data protection, even at the local government level. It’s no longer just about protecting city systems; it’s about securing citizens’ personal information and trust.
As Harding aptly concludes, “It’s critical that businesses—and municipalities—integrate more advanced strategies into their 2025 security planning.”